Why you should have Incident Response playbooks

Tuesday, 9 May, 2023

screenshot of incident response playbook document which can be downloaded using link below

Cydea’s Incident Response plan template

Incident, n: “An event that is either unpleasant or unusual.” – Cambridge English Dictionary

How confident do you feel that, if your company was hit by a cyber incident, you and your team know what to do, and in what order? Do the responsible people know their roles? Do they know what the priority systems are?

Incident Response (IR) playbooks are pre-thought plans of action to help you work through, and write down, answers to questions like these - in advance.

It’s very likely that you’ve already experienced an incident response plan, without even knowing it. So let’s look at a couple of examples, and think about: what was the point? Why was it a good idea to have the playbook? Was testing it really necessary?

School fire drills:

  • Participants practise following a playbook, and learn to associate the alert with the required actions
  • Organisers are testing the playbook:
    • Were people too slow getting out? Why?
    • Were they able to account for everyone who did get out?
      • Could they identify those who were still in the building?

If you want an example of what happens when a playbook isn’t known, practised and followed, watch the first fire drill scene from Kindergarten Cop.


  • Every aircraft safety card communicates the passengers’ responsibilities for a number of possible incidents.
    • The better everyone understands their responsibilities, the better the likely outcomes in a real emergency - which for passengers, means a better chance of survival
  • If there is an incident with the aircraft: the pilot gets out a checklist
    • This is a practised, updated playbook, available to those who need it at the moment it is needed

Periods of high stress and panic are not the time to be relying on memory or to expect rational, considered decision making. It’s better to plan for this sort of situation in advance, without the stress and panic.

It’s good to plan ahead

As defined by the National Cyber Security Centre, a cyber incident is “a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems”. Or as the Cambridge English Dictionary would say, an unusual or unpleasant event that happens on, or to, your digital systems and information.

Like school drills and aircraft safety cards, organisations that have prepared a plan are more effective at responding to incidents.

Importantly, your team doesn’t have to memorise the plan; they just need to know where to find it, and who is responsible for taking each action.

Will your team be Arnie and his class running around in a mad panic, trying to do everything at once and not getting where you need to be on time? Or will they be organised and efficient, contacting the right people, and aware of the priorities - leaving their working memory free to apply the skills and knowledge you hired them for to the details of the problem at hand?

You can be less like Arnie by writing an IR playbook of your own. It doesn’t need to take very long, or be a very arduous task. It’s mostly about documenting things that many people on your team already know in their heads.

Before you get started on your playbooks - have you got an Incident Response plan in place? This is the top-level plan, to which your playbooks add granularity.

Think of it like this: you make a plan to spend the weekend building an epic lego model. How are you going to get from no lego to a completed model? The initial steps are going to be the same regardless of what model you end up buying: go to the store, choose the lego, pay for it, bring it home, etc. It’s only once you open the box that the details change - now what do you do? How do you go from a box of loose pieces to the picture on the box? You follow the detailed instructions specific to that model.

Your IR plan is like the process of buying the lego: written at a high enough level to be applicable no matter the incident; your playbooks are like the instruction sheets: specific to a particular incident type.

Cydea has an Incident Response plan template you can use and remix to suit your team’s needs..

Photo by Kelly Sikkema on Unsplash